Many mobile phone applications hold hard-coded secrets that allow others to access private data, according to a study that could lead to new measures to improve smartphone cybersecurity. According to the study, accepted for publication at the IEEE Symposium on Security and Privacy in 2020, mobile phone apps may exhibit hidden or harmful behavior that users know little or nothing about.
Researchers, including Zhiqiang Lin of Ohio State University in the U.S., said mobile apps generally interact with users by processing and responding to user input. Referring to examples, Lin said, users often have to type certain words or phrases or click buttons and slide screens to take action on their phone. In the study, the researchers evaluated 150,000 apps: the top 100,000 by number of downloads from the Google Play Store, the top 20,000 from an alternative market, and 30,000 pre-installed apps on Android smartphones. They found that 12,706 of those apps contained something the scientists called ‘backdoor secrets’: hidden behaviors within the app that accept certain types of input to trigger behavior unknown to regular users. The researchers also found that some apps have built-in ‘master passwords’, which allow anyone with that password to access the app and any private information it contains. And some apps, they said, had secret access keys that could activate hidden options, including payment bypass.
“Both users and developers are all at risk if a villain has obtained these ‘back door secrets’,” said Lin. Motivated attackers could reverse engineer the mobile apps to discover them, he added. Developers often mistakenly assume that reverse engineering their apps is not a legitimate threat, added Qingchuan Zhao, another co-author of the Ohio State University study.
“A major reason why mobile apps hold these ‘back door secrets’ is because developers have misplaced trust,” Zhao said. To really secure their apps, he said, developers need to perform security-relevant user input validation and move their secrets to the backend servers. “Many platforms allow user-generated content to be moderated or filtered before it is published,” Zhao said, adding that various social media sites, including Facebook, Instagram and Tumblr, restrict the content that users are allowed to publish on those platforms.
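The two patterns Zhao contrasts, as an added Python illustration that is not code from the study or from any real app: a client that compares typed input against a master password and a hidden access key embedded in its own code, beside a version where the secret and the validation live on the backend. All names and secret values below are constructed samples.

```python
import hashlib
import hmac
import secrets

def vulnerable_unlock(user_input: str) -> str:
    """Backdoor-secret pattern: the app compares typed input against secrets
    baked into its own code, so the decision AND the secrets ship in the APK."""
    if user_input == "letmein-ADMIN":   # master password (constructed sample)
        return "admin"
    if user_input == "FREE2020":        # hidden access key that skips payment
        return "paid"
    return "guest"

class BackendServer:
    """Hardened pattern: the secret stays server-side, stored only as a salted
    PBKDF2 hash, and the server validates input and enforces a lockout."""
    MAX_ATTEMPTS = 5

    def __init__(self, admin_secret: str):
        self._salt = secrets.token_bytes(16)
        self._admin_hash = self._derive(admin_secret)
        self.failed_attempts = 0

    def _derive(self, value: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self._salt, 100_000)

    def verify(self, user_input: str) -> str:
        if self.failed_attempts >= self.MAX_ATTEMPTS:
            return "locked"                       # attempt budget exhausted
        if not 1 <= len(user_input) <= 64:        # server-side input validation
            self.failed_attempts += 1
            return "guest"
        # Constant-time comparison avoids leaking how much of the input matched.
        if hmac.compare_digest(self._derive(user_input), self._admin_hash):
            self.failed_attempts = 0
            return "admin"
        self.failed_attempts += 1
        return "guest"

def client_unlock(server: BackendServer, user_input: str) -> str:
    """Hardened client: forwards the input and relays the answer; no secret here.
    (In a real app this is an authenticated HTTPS request, not a direct call.)"""
    return server.verify(user_input)

def embedded_string_literals(func) -> set:
    """Audit helper: string literals recoverable from a function's compiled code,
    roughly what decompiling the shipped app would expose."""
    return {c for c in func.__code__.co_consts if isinstance(c, str)}
```

Running `embedded_string_literals` over both clients shows the difference the study describes: the vulnerable client's constants include the master password, the hardened client's do not.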
“Unfortunately, there may be problems – for example, users know that certain words are forbidden in a platform’s policies, but they are not aware of examples of words that are considered forbidden words and could lead to content being blocked without the knowledge of users,” he said. “Therefore, end users may want to clarify vague platform content policies by seeing examples of forbidden words,” added Zhao.
(This story has not been edited by staff and is automatically generated from a syndicated feed.)